[sclug] sclug Digest, Vol 94, Issue 4

Neil Haughton haughtonomous at googlemail.com
Thu Jul 7 12:02:54 UTC 2011

Thanks for the details. Food for thought.....


On 7 July 2011 13:00, <sclug-request at sclug.org.uk> wrote:

> Send sclug mailing list submissions to
>        sclug at sclug.org.uk
> To subscribe or unsubscribe via the World Wide Web, visit
>        http://sclug.org.uk/mailman/listinfo/sclug
> or, via email, send a message with subject or body 'help' to
>        sclug-request at sclug.org.uk
> You can reach the person managing the list at
>        sclug-owner at sclug.org.uk
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of sclug digest..."
> Today's Topics:
>   1. Re: Personalised web content filtering (Jeremy Hooks)
> ---------- Forwarded message ----------
> From: Jeremy Hooks <jeremyhooks at googlemail.com>
> To: haughtonomous at googlemail.com
> Date: Wed, 6 Jul 2011 15:25:01 +0100
> Subject: Re: [sclug] Personalised web content filtering
> Hi
> I'm new to this mailing list, although I've been subscribed for a couple of
> years and occasionally lurking. I thought I would chime in with my
> tuppence.
> With regard to IPCop, I have some experience (albeit rusty).  It is
> worth looking
> into the addons available for it.  It's been a while, but I seem to recall
> that there is one add on, "Block Out-going Traffic" (IIRC) which might be
> useful in addition to (say) whitelisting allowed sites.  With just web
> filter-
> ing, obviously everything else is left open.  Block out-going traffic will
> let
> you block everything else (probably using IPTables).  I seem to recall that
> you are right about IPCop not being able to do user based access control.
> However, it may be able to control access based on IP address - and if you
> use BOOTP that will also be machine address too (there is a DHCP server in
> IPCop, though it may be an addon).  Another option might be to setup VLANs
> (if
> your network allows) and force untrusted users' PCs to go via IPCop and
> allow
> full access for the others.
> Another option (though expensive) might be to give the employees two
> machines.
> One with full access and another with access only to the sourcecode and the
> secured internal network.  I imagine this would also require two
> separate networks (or virtual networks).
> One of the legitimate uses you mentioned was MSDN access, presumably so
> that
> they will be to download resources to install on the development machine.
>  You
> could run (say) an FTP server which bridges the secure and insecure
> networks to
> allow developers to download files to the insecure machine, upload to the
> server, then download to their development machine (perhaps after the file
> has
> been authorised).  Admittedly it is rather convoluted, but it is one option
> which you may not have considered.
> Obviously you can never be 100% secure and as you mentioned, this is
> largely
> an HR issue (in that you shouldn't be employing people you don't trust).
>  That
> said, you wouldn't give everyone full access to the personnel or finance
> data,
> nor the companies bank account and it is only sensible that when you give
> access, you do all you can to prevent abuse.
> Regards.
> _______________________________________________
> sclug mailing list
> sclug at sclug.org.uk
> http://sclug.org.uk/mailman/listinfo/sclug

More information about the Sclug mailing list